Schools warned over hackable heating systems

Image caption
Concerns have been raised that hackers could attack schools’ heating systems during a cold spell

Dozens of British schools’ heating systems have been found to be vulnerable to hackers, according to a probe by a security research firm.

Pen Test Partners says the problem was caused by the equipment’s controllers being connected to the wider internet, against the manufacturer’s guidelines.

It says it would be relatively easy for mischief-makers to switch off the heaters from afar.

But an easy fix, pulling out the network cables, can address the threat.

Even so, the company suggests the discovery highlights that building management systems are often installed by electricians and engineers that need to know more about cyber-security.

“It would be really easy for someone with basic computer skills to have switched off a school’s heating system – it’s a matter of clicks and some simple typing,” Pen Test’s founder Ken Munro told the BBC.

“It’s a reflection of the current state of internet-of-things security.

“Installers need to up their game, but manufacturers must also do more to make their systems foolproof so they can’t be set up this way.”

Image copyrightPen Test Partners

Image caption
Trend Control Systems tells customers not to connect its controllers directly to the public internet

The cyber-security company made its discovery by looking for building management system controllers made by Trend Control Systems via the internet of things (IoT) search tool Shodan.

It knew that a model, released in 2003, could be compromised when exposed directly to the net, even if it was running the latest firmware.

Mr Munro said it had taken him less than 10 seconds to find more than 1,000 examples.

In addition to the schools, he said he had seen cases involving retailers, government offices, businesses and military bases.

Pen Test blogged about its findings earlier in the week, but the BBC delayed reporting the issue until it had contacted and alerted all of the schools that could be identified by name.

But it responded to criticism that it could have done more to check its kit had been properly installed after the fact.

“Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible,” said spokesman Trent Perrotto.

“This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access.”

He added, however, that the company would “assess and test the effectiveness” of its current practices.

One independent security researcher played down the threat to those still exposed, but added that the case raised issues that should be addressed.

“The risk is limited because criminals have little incentive to carry out such attacks, and even if they did it should be possible for building managers to notice what is happening and manually override,” said Dr Steven Murdoch, from University College London.

“However, these problems do show the potential for far more dangerous scenarios in the future, as more devices get connected to the internet, whose failure might be harder to recover from.

“And we still need manufacturers to design secure equipment, because even if a device is not directly connected to the internet, there almost certainly is an indirect way in.”